Secure database backup and recovery

ABSTRACT

As disclosed herein a computer system for secure database backup and recovery in a secure database network has N distributed data nodes. The computer system includes program instructions that include instructions to receive a database backup file, fragment the file using a fragment engine, and associate each fragment with one node, where the fragment is not stored on the associated node. The program instructions further include instructions to encrypt each fragment using a first encryption key, and store, randomly, encrypted fragments on the distributed data nodes. The program instructions further include instructions to retrieve the encrypted fragments, decrypt the encrypted fragments using the first encryption key, re-encrypt the decrypted fragments using a different encryption key, and store, randomly, the re-encrypted fragments on the distributed data nodes. A computer program product and method corresponding to the above computer system are also disclosed herein.

BACKGROUND

This invention relates to database backup and recovery and moreparticularly to secure database backup and recovery.

Database file systems typically store large amounts of data. To ensurethat the data stored in the database file system can be recovered in theevent of a failure and/or corruption of data, the database file systemdata is typically backed up on a frequent basis. Backing up data in adatabase file system involves creating a copy of data that is to bebacked up and stored in a separate site from the database file systemdisks. Typically, database file system data is copied to secondarystorage (for example local drives and network drives).

SUMMARY

As disclosed herein, a computer system for secure database backup andrecovery in a secure database network has N distributed data nodes. Thecomputer system includes one or more computer processors, one or morecomputer readable storage media, and program instructions stored on theone or more computer readable storage media, and program instructionstored on the one or more computer readable storage media for executionby at least one of the one or more processors. The program instructionsinclude instructions to receive a database backup file from a databasesystem, fragment the file into a plurality of fragments using a fragmentengine, and associate each fragment of the plurality of fragments withone node of the plurality of distributed data nodes, respectively,wherein the fragment is not stored on the node with which the fragmentis associated. The program instructions further include instructions toencrypt each fragment of the plurality of fragments using a firstencryption key, thereby providing a plurality of encrypted fragments,and store, randomly, the plurality of encrypted fragments on theplurality of distributed data nodes. The program instructions furtherinclude instructions to retrieve, after a determined duration, theplurality of encrypted fragments, decrypt the plurality of encryptedfragments using the first encryption key, thereby providing a pluralityof decrypted fragments, re-encrypt the plurality of decrypted fragmentsusing a different encryption key, thereby providing a plurality ofre-encrypted fragments, and store, randomly, the plurality ofre-encrypted fragments on the plurality of distributed data nodes. Acomputer program product and method corresponding to the above computersystem are also disclosed herein.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a deployment diagram, in accordance with at least oneembodiment of the present invention;

FIG. 2 is a component diagram depicting a secure backup system, inaccordance with at least one embodiment of the present invention;

FIG. 3 is a flowchart of a secure backup method, in accordance with atleast one embodiment of the present invention;

FIG. 4 is an example of database backup being fragmented anddistributed, in accordance with at least one embodiment of the presentinvention; and

FIG. 5 is the example being decrypted, encrypted again andredistributed, in accordance with at least one embodiment of the presentinvention.

DETAILED DESCRIPTION

File system administrators try to protect backups against unrecoverabledamage to file systems and storage systems that host the data. However,current protection solutions continue to require significant investmentsin hands-on administration, time allocation, and storage spaceconsumption. The most common means of providing security for a backup isto use encryption, however there is a significant risk that the backupmay be compromised. While such authentication protocols reduce the riskof unauthorized access to the backup, they suffer from a number oflimitations.

Further, the problem of generating and protecting database backups takesthe limitation (regardless of the user authentication scheme used) thatthe information is centered in a single backup unit and usually kept ina single place for prolonged periods of time without proper monitoring.Therefore, there is a need for improved approaches for implementingsecure database backup and recovery systems in database corporateapplications. Referring to FIG. 1, the deployment of one embodiment in adatabase system 10 is described. Database system 10 is operational withnumerous other general purpose or special purpose computing systemenvironments or configurations. Examples of well-known computingprocessing systems, environments, and/or configurations that may besuitable for use with database system 10 include, but are not limitedto, personal computer systems, server computer systems, thin clients,thick clients, hand-held or laptop devices, multiprocessor systems,microprocessor-based systems, set top boxes, programmable consumerelectronics, network PCs, minicomputer systems, mainframe computersystems, and distributed cloud computing environments that include anyof the above systems or devices.

Database system 10 may be described in the general context of computersystem-executable instructions, such as program modules, being executedby a computer processor. Generally, program modules may includeroutines, programs, objects, components, logic, and data structures thatperform particular tasks or implement particular abstract data types.Database system 10 may be embodied in distributed cloud computingenvironments where tasks are performed by remote processing devices thatare linked through a communications network. In a distributed cloudcomputing environment, program modules may be located in both local andremote computer system storage media including memory storage devices.

Database system 10 comprises: general-purpose computer server 12 and oneor more input devices and output devices (not shown) directly attachedto the computer server 12. Database system 10 is connected to a securenetwork 20. Database system 10 communicates with a user using inputdevices and output devices (not shown). Input devices include one ormore of: a keyboard, a scanner, a mouse, trackball or another pointingdevice. Output devices include one or more of a display or a printer.Database system 10 communicates with secure sites 110A to 110D overnetwork 20. Secure network 20 can be a local area network (LAN), a widearea network (WAN), or the Internet when using secure channels.

Computer server 12 comprises: central processing unit (CPU) 22; networkadapter 24; device adapter 26; bus 28 and memory 30.

CPU 22 loads machine instructions from memory 30 and performs machineoperations in response to the instructions. Such machine operationsinclude: incrementing or decrementing a value in a register;transferring a value from memory 30 to a register or vice versa;branching to a different location in memory if a condition is true orfalse (also known as a conditional branch instruction); and adding orsubtracting the values in two different registers and loading the resultin another register. A typical CPU can perform many different machineoperations. A set of machine instructions is called a machine codeprogram, the machine instructions are written in a machine code languagewhich is referred to a low level language. A computer program written ina high level language needs to be compiled to a machine code programbefore it can be run. Alternatively a machine code program such as avirtual machine or an interpreter can interpret a high level language interms of machine operations.

Network adapter 24 is connected to bus 28 and network 20 for enablingcommunication between the computer server 12 and network devices. Deviceadapter 26 is connected to bus 28 and input devices and output devicesfor enabling communication between computer server 12 and input devicesand output devices. Bus 28 couples the main system components togetherincluding memory 30 to CPU 22. Bus 28 represents one or more of any ofseveral types of bus structures, including a memory bus or memorycontroller, a peripheral bus, an accelerated graphics port, and aprocessor or local bus using any of a variety of bus architectures. Byway of example, and not limitation, such architectures include IndustryStandard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus,Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA)local bus, and Peripheral Component Interconnects (PCI) bus.

Memory 30 includes computer system readable media in the form ofvolatile memory and non-volatile or persistent memory (not shown).Examples of volatile memory are random access memory (RAM) and cachememory. Generally volatile memory is used because it is faster andgenerally non-volatile memory is used because it will hold the data forlonger. Database system 10 may further include other removable and/ornon-removable, volatile and/or non-volatile computer system storagemedia. By way of example only, persistent memory 34 can be provided forreading from and writing to a non-removable, non-volatile magnetic media(not shown and typically a magnetic hard disk or solid-state drive).Although not shown, further storage media may be provided including: anexternal port for removable, non-volatile solid-state memory; and anoptical disk drive for reading from or writing to a removable,non-volatile optical disk such as a compact disk (CD), digital videodisk (DVD) or Blu-ray. In such instances, each can be connected to bus28 by one or more data media interfaces. As will be further depicted anddescribed below, memory 30 may include at least one program producthaving a set (for example, at least one) of program modules that areconfigured to carry out the functions of embodiments of the invention.

The set of program modules configured to carry out the functions of oneembodiment comprise: database module 100; agent 101, data module 102;database backup 104; and secure backup system 200. Further programmodules that support the embodiment but are not shown include firmware,boot strap program, operating system, and support applications. Each ofthe operating system, support applications, other program modules, andprogram data or some combination thereof, may include an implementationof a networking environment.

Database system 10 communicates with secure sites 110A to 110D over atleast one secure network 20 (such as a corporate local area network(LAN), a corporate general wide area network (WAN)) via network adapter24. Network adapter 24 communicates with the other components ofcomputer server 12 via bus 28. It should be understood that although notshown, other hardware and/or software components could be used inconjunction with database system 10. Examples, include, but are notlimited to: microcode, device drivers, redundant processing units,external disk drive arrays, redundant array of independent disks (RAID),tape drives, and data archival storage systems.

Secure sites 110A to 110D each comprise respective databases 112A to112D and sensors 114A to 114D. A secure site is normally a distributedsystem but it is enough that a secure site is isolated from other securesites. Databases 112A to 112D are any storage system that can store afragment of a backup database. Sensors 114A to 114D are for listeningfor communication requests and sending back responses including a storedfragment.

Database module 100 comprises processing logical for a prior artdatabase system. Data module 102 is storage for the data of the databasesystem. Database backup 104 comprises a copy of the data in serial orbackup form that may be used to rebuild the database if the originaldata becomes corrupt.

Secure backup system 200 comprises the main processing logic for thepresent embodiment. Referring to FIG. 2, secure backup system 200comprises the following components: policy rules 202; database metadata204; key generator and store 206; fragment engine 208; encryption engine210; coordination engine 212; and secure backup method 300.

Policy rules 202 are for defining the rules when and how the securebackup system operates. For instance a rule could define that fragmentsare gathered up and redistributed every week or a rule could be definedthat fragments are gathered and redistributed upon an event such as asuch as creation of a new backup file.

Database metadata 204 stores metadata relating to the backup fileincluding a map of how to rebuild the backup file from the fragments.Database metadata 204 also stores metadata for each fragment including anode name for the node (that the fragment is not sent to) and theencryption key. Database metadata 204 also stores a temporary list ofnode and associated node addresses that is used for distribution offragments but not used to record which fragments are sent to which node.Key generator and store 206 is for generating the encryption keys.

Fragment engine 208 is for fragmenting a backup file into fragments andfor creating a fragment index for rebuilding the backup file. Thefragment index comprises instructions for assembling the fragments inthe correction order. Fragment engine 208 is also for rebuilding backupfile from said fragments and said fragment index.

Encryption engine 210 is for encrypting and decrypting fragmentsaccording to associated keys.

Coordination engine 212 is for associating each fragment with a distinctnode that will not be used to store said fragment. The fragment nodeassociations are stored in fragment node association table 400.Coordination engine 212 is also for coordinating the storing of thefragments on a different node to where it was retrieved from.

In some embodiments, secure backup method 300 manages the components ofsecure backup system 200. Preferably the coordination engine mayassociate each fragment with two or more nodes such that none of saidtwo or more nodes will be used to store said fragment. In anotherembodiment the coordination engine may associate each fragment with twoor more nodes such that only said nodes will be used to store saidfragment. Thereby a node or site will never see all of the fragmentswithin the lifetime of the backup. The embodiments prevent a patientattacker from collecting all of the database pieces by simply ‘waiting’long enough on a single node. In one embodiment the number of fragmentsis less than or equal to the number of nodes N but other embodiments areenvisioned where n could be more than N. The number of nodes N can beincreased before distributing the fragments.

Some embodiments provide methods and systems for securely backing up andrecovering a database file system. The embodiments take a new view ofthe problem for securely generating and recovering database backups in away that recognizes that backups kept statically in a unique place andexposed for major periods of time inevitably make the backup moresensitive to unauthorized access. Certain embodiments address thisproblem by fragmenting a backup into a number of different encryptedpieces, sending the pieces to distinct secure sites in a secure networksuch as a corporate network, and where each backup piece changesposition regularly and randomly in the secure network. Upon a valid userrestore command, all the backup pieces are gathered, merged andpresented to the user. Some embodiments focus on a method and a systemwhere backup pieces are constantly changing nodes within the network andwhere the temporary site is determined by using a randomizing algorithmin a way that any motion pattern of the backup pieces are impossible todiscover or to be anticipated by unauthorized users.

In some embodiments, database systems are not aware of the locations ofthe different backup pieces in the network. In some embodiments, storingand retrieval of fragments is performed by agents in the database systemand sensors in the data nodes whereby fragment node location is notstored in the database system. In other embodiments, the fragment nodelocation is deleted from the database after movement of fragmentswhereby the database system cannot be queried about the location of thesites and whereby the database system is not aware of the location ofeach fragment across the N sites. In such embodiments the accumulationof all the backup pieces in temporal archive images for any particulardisk is prevented, for example, if there are N sites, each backup piececan only ever be allowed to be moved between N-1 sites. For example, amethod of randomly distributing backup fragments such that any one nodewill never see all of the fragments within the lifetime of the backup.In other embodiments, after retrieving each fragment from a respectivenode, said fragment is stored again on a different node from the node itwas retrieved from. Advantageously, said system further comprising a keygenerator and key store for fragmenting the key; encrypting each keyfragment; and storing each encrypted key fragment with a backupfragment. More advantageously said database metadata is added to thefragment whereby database metadata is fragmented and distributed. Stillmore advantageously such database metadata includes, but is not limitedto, network configuration, database node locations and backup imageexpiration. Even more advantageously said database metadata is validatedduring retrieval to demonstrate a secure method.

Suitably a randomizing algorithm determines the destination node of thefragment whereby it is difficult to discover any motion pattern of thefragments. More suitably said encryption is public/private keyencryption.

Referring to FIG. 3, secure backup method 300 comprises logical processsteps 301 to 316 performed over four phases. Secure backup method 300may be executed by the database system.

Phase 1) Fragmenting a database backup.

Step 301 is for fragmenting a database backup into fragments andcreating a fragment index for reassembling the fragments. Step 301 isalso for generating an encryption key. The method is initiated upon auser request command. The database data is fragmented in a random mannerThis may be done using a secret sharing algorithm such as Shamir (asdescribed in “How to share a secret”, Communications of the ACM 22(11):612-613), or Asmuth-Bloom (“A modular approach to key safeguarding”, C.A. Asmuth and J. Bloom. IEEE Transactions on Information Theory,IT-29(2):208-210, 1983), among others. Since any piece of the backup canbe represented as a sequence of bits, this order of bits can be splitinto x pieces (where each piece has N=K/x bits), the secret sharingrefers to dividing secret information into N pieces of share informationsuch that the secret information is restored only in the case where allpieces of share information share(1), . . . , share(N) are given, secretinformation SE can be restored, but even if (N-1) pieces of arbitraryshare information share are given, the secret information SE cannot beobtained at all.

In some embodiments, metadata is added to the encryption key of thebackup, where the encryption key is fragmented and each piece encryptedand randomly distributed on the secure network, where each piece isregularly and randomly changing the position in the secure network. Thiswill allow enhanced security between the database system and the backupimage itself. Such metadata could include, but is not limited to, subnetinformation, geotagging of the database system location, backup imageexpiration. In the event that metadata is present on the encryption keyof the backup image the corresponding matching data must be validatedagainst the database system, for example, the backup image can only berestored to a specific database system in a specific subnet. Otherpossible usage of this metadata could be to set expiry dates for thebackup images, for example, once said date is passed then the backupimage cannot be restored to any database system.

Phase 2) Encrypting the backup pieces.

Step 302 is for encrypting the backup fragments. Each fragment isencrypted by using known public key encryption such as RSA encryption(based on an algorithm for private/public-key cryptography from R. L.Rivest, A. Shamir, and L. Adleman, A method for obtaining digitalsignatures and public-key crypto systems, Communications of the ACM 22(11): 612-613. Step 301 is for fragmenting a database backup intofragments and creating a fragment index for reassembling the fragments.Step 301 is also for generating an encryption key. The method isinitiated upon a user request command The database data is fragmented ina random manner. This may be done using a secret sharing algorithm suchas Shamir (as described in “How to share a secret”, Communications ofthe ACM 22 (11): 612-613), or Asmuth-Bloom (“A modular approach to keysafeguarding”, C. A. Asmuth and J. Bloom. IEEE Transactions onInformation Theory, IT-29(2):208-210, 1983), among others. Since anypiece of the backup can be represented as a sequence of bits, this orderof bits can be split into x pieces (where each piece has N=K/x bits),the secret sharing refers to dividing secret information into N piecesof share information such that the secret information is restored onlyin the case where all pieces of share information share(1), . . . ,share(N) are given, secret information SE1 can be restored, but even if(N-1) pieces of arbitrary share information share are given, the secretinformation SE cannot be obtained at all.

While the public key can be known to everyone and is used for encryptingmessages, the messages encrypted with the public key can only bedecrypted using the private key. The public key consists of two integers(n; e) and the private key consists of two integers (n; d). Tocommunicate a message, which has been agreed-upon to be an integer mwith 1.1toreq.m.1toreq.n, sender uses the public key to compute thecipher c=m.sup.c mod n and transmits it to receiver. To decipher themessage, receiver uses its private key to compute c.sup.d mod n, whichgives exactly m.

Phase 3) Storing and managing the backup fragments on a secure network.

Step 304 is for sending backup fragments to new remote sites in thesecure network. The process of managing and transporting the backupfragments can be done by the database management system and by usingdatabase agents. Database agents are engine dispatchable unit (EDU)processes or threads. Database agents do the work in the databasemanager that applications request. In UNIX® environments, these agentsrun as processes. In Intel based operating systems such as MicrosoftWindows®, the agents run as threads. Unix is a registered trademark ofThe Open Group. Microsoft and Windows are registered trademarks ofMicrosoft Corporation in the US and/or other countries.

After all the fragments are encrypted, database agents are activated tomove the backup pieces to distinct sites in the secure network known tobe secure. The sites can be located in drives, in a single server or indifferent servers across the secure network. The distribution of thefragments is made using a randomizing algorithm in a way that any motionpattern of the backup pieces is practically undiscoverable byunauthorized users. The step further includes and setting an unallowablesite for each fragment where the fragment is not to be stored. This actsas a security enhancement in a way that prevents three possiblesituations: (1) accumulation of all the backup pieces in temporalarchive images for any particular disk, for example, if there are Nsites, each backup piece can only ever be allowed to be moved betweenN-1 sites; (2) prevent a patient attacker from collecting all of thedatabase pieces by simply ‘waiting’ long enough on a single node; and(3) ensure that full randomized scenario cannot be pieced together fromarchived disk image backups. The database system sends the fragments todestination nodes and does not retain information about which fragmentis sent to which destination node. As such the database system is notaware of the final destination of the backup pieces and every time theyare moved to new sites.

The database system comprises several sensors spread across the securenetwork that identify the activity done by the database agents at theremote sites. Each sensor comprises an adapter configured to gatherdetected actions of the database agents happening at the remote sites ofthe corporate network and packaging the same information it in aspecific format for sending to the database system upon request. Thesensors may be hardware or software based or a combination of both. Insome embodiments, examples of sensors are third-party sensors like Snortsensors and/or Nessus sensors. Snort is an open source intrusionprevention system capable of real-time traffic analysis and packetlogging, see snort.org. Nessus is a global standard in detecting andassessing network data from Tenable Network Security Inc. Nessus andTenable are trademarks in the US and/or other countries of TenableNetwork Security Inc. The threat prevention components of a sensorinclude a packet classifier, which decides which packets are inspected.If a packet matches any one of several predefined rules contained withinthe rules set, the packet is flagged and reported as a alert.Accordingly, the rule set may comprises rules amended and/or updated orexpanded to include the database system specific rules. Alerts are thenconverted into specific format by adapters and sent to the databasesystem upon request.

Step 306 is for checking policy rules. If a policy rule is due then step308 else step 310. As previously mentioned, the fragments changeposition regularly according to a set of policy rules, such as themaximum allowed time in the same site, or the frequency of stays in aspecific site, among others.

Step 308 is for broadcasting a message to the remote sites. A delay maybe used according to the security requirements of the database system.In response the remote sites send back any fragments that are storedsuch that the fragments are retrieved from remote sites. Next the methodreturns to step 304. When a new change in position is required for eachof the backup pieces, the database system sends a broadcast message tothe corporate network for each sensor. The message requests the site ofa specific backup piece. In the sensors where activity data was gatheredan acknowledge receipt is generated upon the database request containingthe information for a specific backup piece. The information is thenconverted into specific format and encapsulated in a packet that is sentback to the database system. The database system retrieves the receiptcontaining the information about the site where a specific backup pieceis positioned from the relevant sensors and by using a pure randomalgorithm generates a new site position for each of the backup pieces.Database agents are then activated to move the backup pieces to newdistinct sites in the corporate network, and this information is notretained by the database system. As such the database system is alwaysunaware of the several backup pieces across the corporate network. Thisprocess is repeated every time the backup pieces change the position inthe corporate network.

Phase 4) Recover and merge the database backup.

Step 310 is for checking if there is a valid user command and branchingto step 312 if so. If there is no valid user command then the processbranches to step 308.

Step 312 is for broadcasting a message and retrieving fragments fromremote sites. When a valid user access command is received, the databasesystem sends a broadcast message to the corporate network for eachsensor. The message requests the site of each specific backup piece. Inthe sensors where activity data was generated for the activities of thedatabase agents, the database request is acknowledged and a receipt withthe data is then converted into specific format and encapsulated in aspecial transmission packet that is transmitted back to the databasesystem.

Step 314 is for gathering fragments from remote sites to merge locationand decrypt. The database agents are activated to retrieve all thefragments from each site and gather all the fragments in a merge site.Once at the merge site, the database system using a decrypting functiondecrypts each fragment.

Step 316 is for merging fragments and presenting to a user. A mergefunction joins the decrypted fragments using the fragment index into asingle backup presented to the user. The merge operation is conducted bysorting each fragment from the initial backup and keeping the fragmentindex in the same order in which the matching backup piece was in theinitial backup file system. The merge of all the pieces of shareinformation from each backup piece is done by merging bits of the piecesof share information so that the order of the fragment index of theinitial backup is kept.

The restore processes validates the metadata on the encryption key ofthe backup. In the event that backup piece contains any of the securitymetadata validation will be performed against the current databasesystem instance. The subnet of the database system will be comparedagainst the permitted subnet(s) on the backup piece, in the event thesubnet of the current database system then the restore process willabort. Likewise, if the current system date and time has gone beyond theimage expiration date the restore operation will abort. The same conceptapplies to geo-tagging and other possible security metadata tags thathave not been explicitly stated in the disclosure.

Fragments are not stored on their respective associated node but only onnodes that are not associated with them. The embodiments focus on amethod and a system where backup pieces are constantly changing nodeswithin the network and where the temporary site is determined by using arandomizing algorithm in a way that any motion pattern of the backuppieces is impossible to discover or to be anticipated by unauthorizedusers.

In such embodiments the accumulation of all the backup pieces intemporal archive images is prevented, for example, if there are N sites,each backup piece can only ever be allowed to be moved between N-1 sites(for example, a method of randomly distributing backup fragments suchthat any one node will never see all of the fragments within thelifetime of the backup).

Referring to FIGS. 4 and 5, an example of the operation of oneembodiment is described. Referring to FIG. 4, database backup 104 isabove to be converted into fragments as indicated by the dash line inthe interior of the database backup 104. In phase 1 the database backup104 is broken into fragment F1, fragment F2 and fragment F3 representedby three interconnecting shapes. At the same time, fragment nodeassociations 410 are made based on the number of fragments and availablenodes. A call is made to available nodes in the secure network andeligible nodes on the secure network respond with their node address.Fragment node associations 410 are shown in table form and in thisexample the association is very simple: fragment F1 with node 110A;fragment F2 with node 110B; and fragment F3 with node 110C.

Phase 2 is represented by double arrows joining respective fragment to aparticular node. A dashed arrow represents a fragment and its associatednode where it will not be stored. Fragment F1 is stored in node 110B andnot its associated node 110A. Fragment F2 is stored in node 110C and notits associated node 110B. Fragment F3 is stored in node 110A and not itsassociated node 110C. The fragments are encrypted using a firstencryption key represented by a triangle shape. The double arrowrepresents the gathering back of the fragments prior to phase 3.

Referring to FIG. 5, in phase 3 the fragments have been gathered backand decrypted prior to redistribution to different nodes encrypted(re-encrypted) in a second encryption key. Therefore Fragment F1 isstored in node 110C and not its associated node 110A or previous node110B. Fragment F2 is stored in node 110A and not its associated node110B or previous node 110C. Fragment F3 is stored in node 110B and notits associated node 110C or previous node 110A. The fragments areencrypted used a second encryption key represented by a parallelogramshape. The double arrow represents the gathering back of the fragmentsprior to phase 4. In phase 4 the fragments are reassembled into databasebackup 104.

Additional embodiments of the invention are now described. It will beclear to one of ordinary skill in the art that all or part of thelogical process steps of one embodiment may be alternatively embodied ina logic apparatus, or a plurality of logic apparatus, comprising logicelements arranged to perform the logical process steps of the method andthat such logic elements may comprise hardware components, firmwarecomponents or a combination thereof.

It will be equally clear to one of skill in the art that all or part ofthe logic components of one embodiment may be alternatively embodied inlogic apparatus comprising logic elements to perform the steps of themethod, and that such logic elements may comprise components such aslogic gates in, for example a programmable logic array orapplication-specific integrated circuit. Such a logic arrangement mayfurther be embodied in enabling elements for temporarily or permanentlyestablishing logic structures in such an array or circuit using, forexample, a virtual hardware descriptor language, which may be stored andtransmitted using fixed or transmittable carrier media.

In a further alternative embodiment, the present invention may berealized in the form of a computer implemented method of deploying aservice comprising steps of deploying computer program code operable to,when deployed into a computer infrastructure and executed thereon, causethe computer system to perform all the steps of the method. It will beappreciated that the method and components of one embodiment mayalternatively be embodied fully or partially in a parallel computingsystem comprising two or more processors for executing parallelsoftware. A further embodiment of the invention is a computer programproduct defined in terms of a system and method. The computer programproduct may include a computer-readable storage medium (or media) havingcomputer-readable program instructions thereon for causing a processorto carry out aspects of the present invention.

The computer-readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (for example, lightpulses passing through a fibre-optic cable), or electrical signalstransmitted through a wire.

Computer-readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibres, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer-readable programinstructions from the network and forwards the computer-readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer-readable program instructions for carrying out operations ofthe present invention may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine-dependent instructions, microcode, firmware instructions,state-setting data, or either source code or object code written in anycombination of one or more programming languages, including an objectoriented programming language such as Smalltalk, C++ or the like, andconventional procedural programming languages, such as the “C”programming language or similar programming languages. The computerreadable program instructions may execute entirely on the user'scomputer, partly on the user's computer, as a stand-alone softwarepackage, partly on the user's computer and partly on a remote computeror entirely on the remote computer or server. In the latter scenario,the remote computer may be connected to the user's computer through anytype of network, including a local area network (LAN) or a wide areanetwork (WAN), or the connection may be made to an external computer(for example, through the Internet using an Internet Service Provider).In some embodiments, electronic circuitry including, for example,programmable logic circuitry, field-programmable gate arrays (FPGA), orprogrammable logic arrays (PLA) may execute the computer readableprogram instructions by utilizing state information of the computerreadable program instructions to personalize the electronic circuitry,in order to perform aspects of the present invention.

Aspects of the embodiments are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products. It will be understood thateach block of the flowchart illustrations and/or block diagrams, andcombinations of blocks in the flowchart illustrations and/or blockdiagrams, can be implemented by computer-readable program instructions.

These computer-readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer-readable program instructionsmay also be stored in a computer-readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that thecomputer-readable storage medium having instructions stored thereincomprises an article of manufacture including instructions whichimplement aspects of the function/act specified in the flowchart and/orblock diagram block or blocks.

The computer-readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

In another aspect of the invention there is provided a computer programstored on a computer readable medium and loadable into the internalmemory of a computer, comprising software code portions, when saidprogram is run on a computer, for performing all the steps of the methodclaims.

In another aspect of the invention there is provided a data carrieraspect of an embodiment that comprises functional computer datastructures to, when loaded into a computer system and operated uponthereby, enable said computer system to perform all the steps of themethod claims. A suitable data-carrier could be a solid-state memory,magnetic drive or optical disk. Channels for the transmission of datamay likewise comprise storage media of all descriptions as well assignal-carrying media, such as wired or wireless signal-carrying media.The embodiments operates at a machine and/or system level of a computerand below an overlying application level whereby application data isbacked up and restored.

The flowchart and block diagrams in the figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s). In some alternativeimplementations, the functions noted in the block may occur out of theorder noted in the figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

It will be clear to one skilled in the art that many improvements andmodifications can be made to the foregoing exemplary embodiment withoutdeparting from the scope of the present invention.

What is claimed is:
 1. A system for secure database backup and recoveryin a secure database network having N distributed data nodes, the systemcomprising: a processor; a database system backup file; a fragmentengine for fragmenting, by the processor, the file into fragments; acoordination engine for associating, by the processor, each fragmentwith a node such that the node will not be used to store the fragment;one or more database agents for communicating, by the processor, thefragments to the nodes for storage and for retrieving, by the processor,the fragments a determined time later from the nodes wherein no fragmentis stored on its associated distinct node; and an encryption engine forencrypting fragments, by the processor and using a first key, beforestoring and decrypting the fragments, by the processor, on retrievalusing the first key wherein the fragments are further encrypted with adifferent key before storing again on said nodes and wherein fragmentsare not stored on their associated node but only on nodes that are notassociated with them.
 2. The system of claim 1 wherein storing andretrieval of fragments is performed by agents in the database system andsensors in the data nodes and wherein fragment node location is notstored in the database system.
 3. The system of claim 2 wherein afterretrieving each fragment from a respective node, the fragment is storedagain on a different node from the node it was retrieved from.
 4. Thesystem of claim 3 further comprising a key generator and store forfragmenting the key, encrypting each key fragment, and storing eachencrypted key fragment with a backup fragment.
 5. The system of claim 4wherein database metadata is added to the fragment and wherein databasemetadata is fragmented and distributed.
 6. The system of claim 5 whereinsuch database metadata includes, but is not limited to, networkconfiguration, database node locations and backup image expiration. 7.The system of claim 6 wherein the encryption is public and private keyencryption.